[WIP] RHTAP-6071 Replace BitBucket AppPassword with API token #325

Open
jkopriva wants to merge 1 commit into redhat-appstudio:main from jkopriva:RHTAP-6071
Collaborator

@jkopriva jkopriva commented Mar 12, 2026

Assisted-by: Cursor

Summary by CodeRabbit

  • Breaking Changes

    • Bitbucket authentication configuration updated: replaced app password and access token fields with a single token field. Users must update their Bitbucket Git provider configuration to use token-based authentication.
  • Documentation

    • Updated authentication documentation to reflect token-based approach for Bitbucket integration.

@jkopriva jkopriva requested a review from xinredhat as a code owner March 12, 2026 14:08

coderabbitai bot commented Mar 12, 2026

Walkthrough

This PR migrates Bitbucket authentication from a dual-path system (bearer accessToken or basic auth with appPassword) to a unified token-based authentication approach. Changes consolidate credential handling across the API client layer, HTTP client implementation, type definitions, and Git provider integrations.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Core API Client Layer: src/api/bitbucket/bitbucket.client.ts, src/api/bitbucket/http/bitbucket-http.client.ts, src/api/bitbucket/types/bitbucket.types.ts | Refactored authentication to use only username+token with Basic Authorization header (base64 encoding). Removed appPassword and accessToken fields from BitbucketClientOptions and consolidated into single token field. Bearer token path eliminated. |
| Bitbucket Provider Integration: src/rhtap/core/integration/git/providers/bitbucket.ts | Replaced getAppPassword() method with getToken(), updated initBitbucketClient() to pass token instead of appPassword, and aligned error messages to reference token absence rather than app password. |
| GitOps and Jenkins Command Handlers: src/rhtap/postcreation/strategies/commands/addAzureSecrets.ts, src/rhtap/postcreation/strategies/commands/addJenkinsSecretsCommand.ts | Updated credential retrieval calls from getAppPassword() to getToken() in Bitbucket Git provider code paths. |

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly Related PRs

  • tssc-test#75: Modifies Bitbucket client and HTTP client code (BitbucketClient, BitbucketHttpClient, BitbucketClientOptions) with authentication handling changes—parallel authentication refactoring work.
  • tssc-test#189: Modifies Bitbucket provider integration and Jenkins secret handling in the same files—related credential management changes.

Suggested Labels

api-client, security, integration, enhancement

Suggested Reviewers

  • xinredhat
  • BohdanMar
  • jsmid1

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and accurately summarizes the main change: replacing Bitbucket AppPassword authentication with API token across the codebase. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Comment @coderabbitai help to get the list of available commands and usage tips.
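
The walkthrough above describes a single username+token credential sent as a Basic Authorization header and the removal of the appPassword and accessToken fields. The sketch below is an added example, not code from this PR or repository: the field names come from the walkthrough, while `validateBitbucketOptions`, `buildBasicAuthHeader` and `redactHeaders` are hypothetical helpers showing how a client could reject pre-migration config and keep the token out of logs.

```typescript
// Added example. Field names follow the PR walkthrough; function names are hypothetical.
interface BitbucketClientOptions {
  username: string;
  token: string;
}

// Fields the walkthrough says were removed from BitbucketClientOptions.
const LEGACY_FIELDS = ["appPassword", "accessToken"] as const;

function validateBitbucketOptions(raw: Record<string, unknown>): BitbucketClientOptions {
  // Fail loudly on pre-migration config rather than sending a request without the new credential.
  const legacy = LEGACY_FIELDS.filter((field) => raw[field] !== undefined);
  if (legacy.length > 0) {
    // Name the offending fields only; never echo secret values into an error or log.
    throw new Error(`Bitbucket config uses removed field(s): ${legacy.join(", ")}; set "token" instead`);
  }
  const { username, token } = raw;
  if (typeof username !== "string" || username.length === 0) {
    throw new Error("Bitbucket username is required for token authentication");
  }
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("Bitbucket token is missing");
  }
  // RFC 7617: the user-id cannot contain ':' because the first colon in the
  // decoded value separates it from the password.
  if (username.includes(":")) {
    throw new Error("Bitbucket username must not contain ':'");
  }
  return { username, token };
}

function buildBasicAuthHeader(opts: BitbucketClientOptions): string {
  const encoded = Buffer.from(`${opts.username}:${opts.token}`, "utf8").toString("base64");
  return `Basic ${encoded}`;
}

// Base64 is an encoding, not encryption: scrub the header before it reaches a log line.
function redactHeaders(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = name.toLowerCase() === "authorization" ? "Basic [REDACTED]" : value;
  }
  return out;
}
```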


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
src/rhtap/postcreation/strategies/commands/addJenkinsSecretsCommand.ts (1)

137-139: Token retrieval change is consistent with the Azure secrets command.

The update from getAppPassword() to getToken() maintains consistency with the unified token-based authentication approach across the codebase.

Note: The getGitOpsAuthPassword() method (lines 129-143) is nearly identical to the one in addAzureSecrets.ts (lines 101-115). Consider extracting this to a shared utility in a future refactor to reduce duplication.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/rhtap/postcreation/strategies/commands/addJenkinsSecretsCommand.ts`
around lines 137 - 139, Replace Bitbucket's getAppPassword usage with the
unified getToken call inside getGitOpsAuthPassword() so the GitType.BITBUCKET
branch calls BitbucketProvider.getToken(); ensure the BitbucketProvider
implementation exposes getToken() and returns the same token shape expected by
callers. Also factor out the nearly identical getGitOpsAuthPassword() logic
(present in addJenkinsSecretsCommand.ts and addAzureSecrets.ts) into a shared
utility function (e.g., gitOpsAuth.getTokenForProvider) to remove duplication
and have both files call that shared helper.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/rhtap/postcreation/strategies/commands/addJenkinsSecretsCommand.ts`:
- Around line 137-139: Replace Bitbucket's getAppPassword usage with the unified
getToken call inside getGitOpsAuthPassword() so the GitType.BITBUCKET branch
calls BitbucketProvider.getToken(); ensure the BitbucketProvider implementation
exposes getToken() and returns the same token shape expected by callers. Also
factor out the nearly identical getGitOpsAuthPassword() logic (present in
addJenkinsSecretsCommand.ts and addAzureSecrets.ts) into a shared utility
function (e.g., gitOpsAuth.getTokenForProvider) to remove duplication and have
both files call that shared helper.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f1fc5aec-4cf4-424c-85fc-0d507b81e02b

📥 Commits

Reviewing files that changed from the base of the PR and between 5c62b63 and 6566f7c.

⛔ Files ignored due to path filters (1)
  • README.md is excluded by none and included by none
📒 Files selected for processing (6)
  • src/api/bitbucket/bitbucket.client.ts
  • src/api/bitbucket/http/bitbucket-http.client.ts
  • src/api/bitbucket/types/bitbucket.types.ts
  • src/rhtap/core/integration/git/providers/bitbucket.ts
  • src/rhtap/postcreation/strategies/commands/addAzureSecrets.ts
  • src/rhtap/postcreation/strategies/commands/addJenkinsSecretsCommand.ts

@jkopriva (Collaborator, Author)

This is blocked until we migrate to RHDH 1.10

@konflux-ci-qe-bot

@jkopriva: The following test has Failed, say /retest to rerun failed tests.

| PipelineRun Name | Status | Rerun command | Build Log | Test Log |
|---|---|---|---|---|
| e2e-4.20-8kjxz | Failed | /retest | View Pipeline Log | View Test Logs |

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

  1. Install ORAS (see the ORAS installation guide).
  2. Download artifacts with the following commands:
     ```sh
     mkdir -p oras-artifacts
     cd oras-artifacts
     oras pull quay.io/konflux-test-storage/rhtap-team/rhtap-cli:e2e-4.20-8kjxz
     ```

Test results analysis

<not enabled>

OCI Artifact Browser URL

<not enabled>
